simonso

Reputation: 595

AWS VPC: restricting user to create/delete its own VPC

Conceptually, is it possible to create an IAM policy such that a developer can only create/delete their own 50-net (e.g. 50.10.0.0/16) VPC? Or do we usually rather have the network admin allocate the VPC to each developer coming on board?

I want to organize the org such that:

User  : VPC
dev-1 : 50.10.0.0/16
dev-2 : 50.20.0.0/16
dev-3 : 50.30.0.0/16

Thanks!

Upvotes: 0

Views: 164

Answers (1)

John Rotenstein

Reputation: 270094

A CIDR range starting with 50. is publicly routable and should generally be avoided. It is better to allocate ranges from these address blocks, which are intended for private use:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

See: What Is a Private IP Address & What Are the Ranges?

Multiple VPCs can be created with the same CIDR range, so each developer could have their own range of private IP addresses that overlap each other. It simply means that they cannot be (easily) joined together.

It is not possible to restrict a user's CIDR range when creating a VPC.

See: Supported Resource-Level Permissions for Amazon EC2 API Actions - Amazon Elastic Compute Cloud

You can, however, restrict which actions they may use. So, you might provide them with a VPC, deny permissions to create other VPCs, but allow them to create/delete subnets within the VPC.

See: Controlling Access to Amazon VPC Resources - Amazon Virtual Private Cloud

Upvotes: 1
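The pattern the answer describes (a pre-allocated VPC, no permission to create or delete VPCs, but create/delete of subnets inside that one VPC) can be expressed as an IAM identity policy like the following. This is an added example, not part of the original answer; the region `us-east-1`, account ID `111122223333` and VPC ID `vpc-0123456789abcdef0` are placeholders to be replaced with the developer's assigned VPC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyVpcLifecycle",
      "Effect": "Deny",
      "Action": ["ec2:CreateVpc", "ec2:DeleteVpc"],
      "Resource": "*"
    },
    {
      "Sid": "ReadOnlyDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateSubnetsInAssignedVpc",
      "Effect": "Allow",
      "Action": "ec2:CreateSubnet",
      "Resource": [
        "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0",
        "arn:aws:ec2:us-east-1:111122223333:subnet/*"
      ]
    },
    {
      "Sid": "DeleteSubnetsOnlyInAssignedVpc",
      "Effect": "Allow",
      "Action": "ec2:DeleteSubnet",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:subnet/*",
      "Condition": {
        "ArnEquals": {
          "ec2:Vpc": "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"
        }
      }
    }
  ]
}
```

The `Describe*` actions do not support resource-level permissions, so they need `"Resource": "*"`; `CreateSubnet` is scoped by listing the VPC ARN, and `DeleteSubnet` by the `ec2:Vpc` condition key, since the subnet ARN alone does not identify which VPC it belongs to.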
